Securing Website with SSL Certificate
Basically, when we say that a website is served over the HTTPS protocol, what we are saying is that the data transmitted between the web browser and the web server (in both directions) is encrypted, that the browser has checked it is really talking to that server, and that the data cannot be altered in transit without the browser noticing.
How to check if a website is using an SSL certificate and is secured?
If a website is secured you get a visible mark of it: look in the upper left corner of your URL bar and you will see that it says HTTPS instead of the usual HTTP, and next to it some kind of lock indicator showing that the connection is, in fact, secure.
That lock doesn't just show that the connection is encrypted; it also shows that the certificate used to set up the connection is valid, was issued by a certificate authority the browser trusts, and matches the domain you typed in.
Why serve your site over HTTPS?
There are still a few reasons why you might want to serve your content over HTTPS.
The first is that it assures your visitor that the content is coming from your site, because the certificate authority verified that you control the domain, and because the connection is encrypted it ensures the content hasn't been tampered with on the way.
The second reason is SEO, search engine optimization: back in August of 2014 Google announced that it would treat serving a site over HTTPS as a ranking signal.
So, all other things being equal, if you want to rank higher than your competitors you should serve your site over HTTPS.
Now sure, at first glance it might not make much sense why Google would want to penalize, say, a cooking blog for not serving its content over HTTPS. However, I suspect one of the main reasons is that they want to ensure quality content, and because you have to take a few extra steps in order to serve your site over HTTPS, including purchasing an SSL certificate,
it shows that you're more invested in your site, and that is probably a signal that your site is going to contain higher-quality content than one whose owner doesn't bother to take those steps.
How do you get an SSL certificate?
In a nutshell, what you need to do is go out and purchase an SSL certificate from a certificate authority and then install it onto your web server.
There are a couple of main issuing authorities; one of the big ones is Comodo, for example, but I wouldn't recommend buying directly from Comodo because their resellers seem to offer much better prices.
For example, gogetssl.com seems to offer the cheapest SSL certificates I've seen: a Comodo PositiveSSL certificate is only $5.95 per year, and if you buy it for multiple years at a time it gets as cheap as $3.85 per year.
There are a couple of different kinds of SSL certificates, and which one you need will depend on your needs; we'll go over those in a second. The one thing you want to make sure of is that the certificate is signed using SHA-2 (in practice SHA-256) rather than SHA-1. SHA-256 is the hash function used in the certificate's signature, not an encryption protocol, and the reason it matters is that Google and Microsoft have announced they will stop trusting SHA-1 certificates, with Chrome beginning to flag them starting next month, in November of 2014.
If you are using OpenSSL to generate your key and certificate signing request, make sure you pass the -sha256 flag so that the request (and any self-signed test certificate you make) is signed with SHA-256. Note that for a purchased certificate the signature algorithm on the final certificate is chosen by the CA when it signs it, so check the issued certificate as well, not just your request.
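Here is what that looks like at the command line. This is an added example, not code from the original video: it generates an RSA key and a CSR with the SHA-256 digest, does the same for a self-signed certificate, and reads back the signature algorithm that was actually recorded. The output paths and the subject name (example.test) are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original): generate an RSA key plus a CSR with
# OpenSSL, force the SHA-256 digest, and read back which signature algorithm
# actually ended up in the result. Paths and the subject name are assumptions.

# Generate a 2048-bit RSA key and a CSR signed with the requested digest.
# $1 = output prefix, $2 = digest name as OpenSSL spells it (sha256, sha1, ...)
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -"$2" \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=example.test" >/dev/null 2>&1
}

# Same thing, but produce a self-signed certificate instead of a CSR
# (fine for a local test server, never for a public site).
make_self_signed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -"$2" \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=example.test" >/dev/null 2>&1
}

# Print the signature algorithm recorded in a CSR ($1 = .csr file) ...
csr_sig_alg() {
  openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# ... or in a certificate ($1 = .crt file).
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Succeed only if the signature algorithm ($1) does not use SHA-1; the digest
# name is the prefix of the algorithm string (e.g. sha1WithRSAEncryption).
not_sha1() {
  case "$1" in
    sha1*) return 1 ;;
    *)     return 0 ;;
  esac
}

# Stand-alone demo.
demo_dir=$(mktemp -d)
make_csr "$demo_dir/good" sha256
echo "CSR signed with:         $(csr_sig_alg "$demo_dir/good.csr")"
make_self_signed_cert "$demo_dir/good" sha256
echo "Certificate signed with: $(cert_sig_alg "$demo_dir/good.crt")"
# Newer OpenSSL builds may refuse to sign with SHA-1 at all; treat that as
# the expected outcome rather than an error.
if make_self_signed_cert "$demo_dir/legacy" sha1; then
  alg=$(cert_sig_alg "$demo_dir/legacy.crt")
  not_sha1 "$alg" || echo "Legacy certificate uses $alg: browsers are phasing this out"
else
  echo "This OpenSSL build refuses to sign with SHA-1"
fi
rm -rf "$demo_dir"
```

Run the same cert_sig_alg check on the certificate the CA sends back to you: the CSR's digest is only a hint, and the line you care about is the one in the issued certificate.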
Another way SSL certificates differ is in the level of verification the issuing authority does before issuing you the certificate, and basically there are two kinds you are going to be dealing with.
One is domain validation, which just means the issuing authority has verified that you control the domain. Usually this is done by having you publish a DNS record, place a file the CA specifies on your web server, or respond to an email sent to an address at that domain, any of which shows that yes, you control this domain.
That verification happens almost instantly: basically as soon as you sign up for your certificate it will be issued.
The other kind is known as extended validation, and what that involves is sending in a bunch of documents proving not only that you control the domain but also that you are the legally registered organization you say you are.
That can take a few days for the issuing authority to verify, and these certificates are also a lot more expensive, but what you get is what's known as green bar verification.
In the browser that looks like this: not only is there a big green bar showing the user that you are who you say you are, it also displays the name of the company the certificate was issued to.
Another variation is what's known as a wildcard certificate. With a wildcard certificate you can cover any number of subdomains under your main domain with one certificate, for example blog.yoursite.com or www.yoursite.com, whereas with a plain single-domain validation certificate you would need two different certificates if you wanted to cover both blog and www. One caveat: a wildcard such as *.yoursite.com covers only one label, so it does not cover a.blog.yoursite.com, and it does not by itself cover the bare yoursite.com (most CAs add the bare domain to the same certificate for you, so check that it is listed).
What about self-signed certificates?
The process isn't that difficult, and the end result still encrypts all of the traffic between your site and the visitor's web browser, but because the certificate isn't issued by a trusted certificate authority, all of the major web browsers are going to throw a huge warning at your visitors.
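You can reproduce the browser's "untrusted" decision with the openssl command line. This is an added example, not from the original video: it builds a self-signed certificate, shows that issuer and subject are the same name, fails to chain it to any trusted root (the warning), and then succeeds once the certificate itself is added as a trust anchor (the exception). Paths and the subject name are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original): reproduce the "untrusted connection"
# decision with the openssl command line instead of a browser. Paths and the
# subject name are assumptions for the demo.

# Create a self-signed certificate: the subject signs its own certificate, so
# issuer and subject carry the same name. $1 = output prefix
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=selfsigned.example.test" >/dev/null 2>&1
}

# Print the subject or issuer without the "subject=" / "issuer=" label so the
# two names can be compared. $1 = -subject or -issuer, $2 = certificate file
name_of() {
  openssl x509 -in "$2" -noout "$1" | sed 's/^[a-z]*=//'
}

# True when the certificate was issued by its own subject.
is_self_signed() {
  [ "$(name_of -issuer "$1")" = "$(name_of -subject "$1")" ]
}

# What the browser does first: chase the chain back to one of its built-in
# trusted roots. A self-signed leaf chains to nothing it trusts, so this fails.
verify_against_system_roots() {
  openssl verify "$1" >/dev/null 2>&1
}

# What "Add exception" does: put this one certificate into the trust store.
# Only this machine trusts it; every other visitor still gets the warning.
verify_with_exception() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone demo.
demo_dir=$(mktemp -d)
make_self_signed "$demo_dir/site"
is_self_signed "$demo_dir/site.crt" && echo "issuer == subject: this certificate is self-signed"
if verify_against_system_roots "$demo_dir/site.crt"; then
  echo "unexpected: a self-signed certificate should not verify against the system roots"
else
  echo "no trusted root found: this is the browser warning"
fi
verify_with_exception "$demo_dir/site.crt" && echo "after adding an exception: OK (for this machine only)"
rm -rf "$demo_dir"
```

The exception only changes the trust store on the machine where it was added, which is exactly why the approach does not scale to a public site: every visitor would have to do the same.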
If you want to see what the warning looks like, I went ahead and self-signed my own certificate and put it on a subdomain I set up for this purpose. In Firefox you get "This Connection is Untrusted", with an explanation that the site uses an invalid security certificate because it is self-signed. In order to proceed you have to add an exception in Firefox's security settings; once you click through, you are taken to the site, and if you click the lock in the upper left-hand corner you see that the connection is secure: all the data transmitted between your browser and my server is encrypted. The browser still complained because the certificate wasn't issued by a trusted certificate authority.

To see Firefox's list of trusted certificate authorities, go to Options, then Advanced, click Certificates, then View Certificates, and you will see all the trusted certificate authorities; Comodo, one of the big ones, is in there. And because we added a security exception in order to reach my self-signed subdomain, the certificate we added shows up in that list too. Of course, anyone else who goes to the site will have to authorize the same security exception, and that is why self-signed certificates are just not a good idea for a public site.

As I was editing this video, CloudFlare (cloudflare.com) announced a legitimately free way to serve your content over HTTPS, which they call Universal SSL. The one catch is that you have to move your site's DNS over to CloudFlare, and all communication between your visitors and your server is then routed through CloudFlare's servers. Also check which mode you configure: the browser-to-CloudFlare leg is encrypted, but depending on the setting the CloudFlare-to-origin leg may not be.

How does HTTPS actually work?
At a high level, HTTPS relies on the TLS protocol to encrypt its data, and TLS consists of two steps. The first is a handshake, where the web browser and the web server agree on a symmetric key (a shared key) that they are going to use to encrypt all subsequent communication. To agree on that key without a third party who is observing the traffic being able to read which key will be used, the browser and server use public-key encryption. Very briefly: with a shared key you use the same key to encrypt and decrypt the information; with public-key encryption the key is split into two parts, a public key that encrypts the information and a separate private key that decrypts it.

With that in mind, here is how public-key encryption is used with SSL certificates. Your web browser has a list of trusted certificate authorities, the root certificates (remember, I showed you those in the Firefox settings). Installed on your web server is the SSL certificate you purchased, which contains a public key, and alongside it a copy of the private key, which is separate from the public key and never sent anywhere. The web browser initiates a connection request, and the web server responds by sending over a copy of its certificate. The browser checks that the certificate was issued by one of its trusted certificate authorities (and that it matches the domain it asked for). If it checks out, the browser uses the public key contained in the certificate to encrypt a proposed shared key and sends that encrypted key over to the web server, which decrypts it using its private key. Now both the browser and the server hold a copy of the same symmetric key, which they use to encrypt all further communication. Anybody listening in on the conversation never saw the private key, so there is no way they could have decrypted the proposed shared key the browser sent over.

One caveat: the exchange just described is the RSA key exchange, which was the common form in 2014. Its weakness is that anyone who records the traffic and later obtains the server's private key can decrypt every handshake they captured. Current TLS deployments, and TLS 1.3 exclusively, instead use an ephemeral Diffie-Hellman exchange, in which the certificate's key only signs the handshake and the shared key is never sent over the wire even in encrypted form, so a leaked private key does not expose past traffic.

Obviously this has been a very brief, high-level overview of the encryption algorithms and of how the whole TLS process works. If you want to dive into more detail, I've included some links in the description below, along with a link to a video that is a great explanation of how the whole public-key encryption system works, where something encrypted with a public key can then only be decrypted with the private key.
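The RSA key exchange described above, replayed step by step with the openssl command line. This is an added example, not from the original video, and it only mimics the handshake: real TLS wraps these same operations in its record protocol and, as noted above, has since moved to Diffie-Hellman. File names, the key size and the sample request text are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original): the RSA key exchange described above,
# done by hand with OpenSSL. File names, the key size and the message text are
# assumptions; real TLS frames the same operations inside the record protocol.

# Server set-up: the private key stays on the server; the public half is what
# gets embedded in the certificate the browser receives. $1 = output prefix
gen_server_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null &&
  openssl pkey -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

# Browser side: pick a random shared key and encrypt it to the server's public
# key. Only the holder of the matching private key can undo this.
# $1 = server public key, $2 = shared key out, $3 = ciphertext out
client_propose_key() {
  openssl rand -hex 32 > "$2" &&
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" 2>/dev/null
}

# Server side: recover the proposed key with the private key.
# $1 = server private key, $2 = ciphertext, $3 = shared key out
server_recover_key() {
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" 2>/dev/null
}

# Eavesdropper: has the certificate (public key) and the ciphertext but no
# private key. The decrypt operation is not available with a public key, so
# this fails and $3 never receives the shared key.
# $1 = server public key, $2 = ciphertext, $3 = output file
eavesdropper_attempt() {
  openssl pkeyutl -decrypt -pubin -inkey "$1" -in "$2" -out "$3" 2>/dev/null
}

# Both sides now hold the same symmetric key and use it for the actual data
# (AES here; the key file doubles as the passphrase for openssl enc).
# $1 = shared key file, $2 = input file, $3 = output file
encrypt_record() { openssl enc -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2" -out "$3" 2>/dev/null; }
decrypt_record() { openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2" -out "$3" 2>/dev/null; }

# Stand-alone demo of the whole exchange.
d=$(mktemp -d)
gen_server_keys "$d/server"
client_propose_key "$d/server.pub" "$d/browser.key" "$d/handshake.bin"
server_recover_key "$d/server.key" "$d/handshake.bin" "$d/server_copy.key"
cmp -s "$d/browser.key" "$d/server_copy.key" && echo "handshake done: both sides hold the same shared key"
if eavesdropper_attempt "$d/server.pub" "$d/handshake.bin" "$d/eve.key"; then
  echo "unexpected: the public key alone should not decrypt the handshake"
else
  echo "eavesdropper with the public key only: cannot recover the shared key"
fi
# Constructed sample request: application data after the handshake.
printf 'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n' > "$d/request.txt"
encrypt_record "$d/browser.key" "$d/request.txt" "$d/request.enc"
decrypt_record "$d/server_copy.key" "$d/request.enc" "$d/request.out"
cmp -s "$d/request.txt" "$d/request.out" && echo "application data round-trips under the shared key"
rm -rf "$d"
```

The point of the eavesdropper step is the one the text makes: everything the attacker can capture (the public key in the certificate and the encrypted proposal) is not enough to recover the shared key. What the toy does not show is the forward-secrecy problem mentioned above: if server.key leaks later, handshake.bin decrypts just as easily for the attacker as it did for the server.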